Ask HN: Found security flaws but vendor seems not to care. What should I do?

43 points by throwawayCBNaT9 ↗ HN
I've found some web app vulnerabilities to some high profile services in my country, but the vendor doesn't seem interested in fixing them as 6 months have passed and they claim to have other things to do, which, judging by the announcements on the main page, is finishing missing features.

The fixes to the flaws that allow for iterative exfiltriation of PII are trivial to implement as well. The others are simple reflected XSS's.

What is the most appropriate course of action here?

40 comments

[ 5.7 ms ] story [ 114 ms ] thread
IMO, post to the Full Disclosure mailing list[1]. I'd do it anonymously if worried about legal action, but sign the message with a new PGP key. That way I can claim the discovery later if that becomes advisable.

[1] http://seclists.org/fulldisclosure/

This is a very good way to end up paying damages or going to jail, please do not post it to any public sources without seeking legal counsel.
What argument would they use to put you in jail?
Violating what ever computer crime acts are relevant to the OP.

Responsible disclosure isn’t codified in law, even bug bounties do not somehow exempt you from criminal prosecution they just make it less likely as long as you follow their guidelines at least.

Finding a vulnerability is not a crime.
Finding a vulnerability in a website and PoCing can be very much a crime. Finding a vulnerability in a product you own can also be constituted a crime under the DMCA or any other legislation that protects intellectual property and specifically prohibits reverse engineering.

The only difference is that companies elect not to file complaints which lead to charges being filed when this is done properly.

I've handled bug bounty payouts on both sides, I've sat on a advisory board for a national CERT (my employer held the seat not by name), and I've seen quite a few cases of bug bounty and reported submissions go wrong really fast for as something as silly as poorly constructed language or someone being overly pushy.

The OP here found a vulnerability that discloses PII of other users, if this is actual PII as defined by law in their jurisdiction well then they again just potentially commited a crime. By the nature of the vulnerability "iterative exfiltriation of PII" I'm assuming they found some direct access to a resource like a profile page, invoices, or something similar which means that they've found a vulnerability, exploited it during a proof of concept and retrieved PII data, all of this falls under unauthorized and criminal access if not handled correctly.

Usually when you have a vulnerability which requires actionable exploitation to prove and you access any type of information especially one that is regulated by law you want to document everything you've accessed and provide those details in the disclosure as they would have to notify the people whose information has been exposed in the least if not their entire customer base.

(comment deleted)
I thought "responsible disclosure" was a marketing term..?
It is there is, technically the act of finding vulnerabilities especially over a network is a violation of every computer crime legislation I know off.
Yes and no.

No, it's a descriptor. In the debate about the best way to handle knowledge of vulnerabilities, there arose a vaguely-bounded subset practices that got this name.

Yes, it's also great marketing. Whatever has the name implies that it's the best of all possible alternatives, fait accompli.

Yes, it's used to castigate hackers who don't do exactly what the vendor wants. And the more common term now is "coordinated disclosure".
Assuming the lawyers are cautious and risk-averse (as they should be), their counsel will be pretty predictable: don’t do it.

On the other hand, if we’re speaking just about doing it anyway, it’s basically trivial to do this as the commenter described without ever being caught. Publicly claiming the PGP signature later will obviously not be trivial, but you can easily send one anonymous email without ever being caught.

If someone wants to do this out of a sense of personal ethics, and doesn’t mind restrictions on legally claiming it later on, I’d say go for it. An anonymous email is not a high operational security bar to pass for someone technically competent enough to find a security issue, especially if it’s only once.

The PGP signature is a pretty bad idea if this goes criminal, and since they've already reported the vulnerability via less than anonymous means they can be tracked.

The correct way to handle it is to contact the relevant CERT team in your country usually on a national or state level.

And if it's regulated industry or information (PII is) you can also contact the relevant regulator.

Publishing a functional exploit that can be used to gain access to PII on an open mailing list isn't just illegal it's also unethical.

This advice is quite indicative of anyone who never handled disclosures from either side of the aisle.

You need to understand there could be good reasons why you might not get a reply to a reported vulnerability, including the fact that the legal team and or the authorities put a gag on it. You don't know what language was used in the initial report and what information they've accessed. In many jurisdictions especially in the EU you are actually required to report the incident even if it's under a "bug bounty" program to the authorities if regulated information has been exposed. They may allow you to handle it through your BB program (but they also remind you that you'll be liable for any mishaps in the handling of the incident) they may elect to tell you to stop all contact and hand it over, your own legal department might say they don't like the language used or some other things raised a red flag like "I've downloaded your entire DB as a PoC"....

I really don't understand why people on HN elect to give such poor advice on a subject that while unlikely but can go south really bad on a whim.

> The PGP signature is a pretty bad idea if this goes criminal, and since they've already reported the vulnerability via less than anonymous means they can be tracked.

No it isn’t. Make a new key-pair for the signature. This key-pair will also be anonymous. Best of both worlds: still anonymous, but you keep the option to positively claim it later.

The fact that they’ve spoken about it on HN somewhat deanonymizes them, sure, but perhaps not meaningfully so yet. The OP needs to secure against a private company’s security and legal teams, not a theoretically omniscient naion state. If he used an alternate IP address for this throwaway, he’s still basically fine.

> I really don't understand why people on HN elect to give such poor advice on a subject that while unlikely but can go south really bad on a whim.

This isn’t poor advice. Speaking for myself, I choose to give this advice as a security professional and someone who has had to make various disclosures, both “responsible” and “full”, and of the latter, with and without the cooperation of the company.

They've already contacted the company and reported the vulnerabilities, and likely were much less anonymous in the process.

Generating PGP keys for future claim would require you to keep a copy of the private key, this copy can be seized if a criminal investigation does happen.

>This isn’t poor advice. Speaking for myself, I choose to give this advice as a security professional and someone who has had to make various disclosures, both “responsible” and “full”, and of the latter, with and without the cooperation of the company.

So have I and this is a poor advice, especially these days with some of the regulation that is popping up. The line which differentiates between a paid bounty or a PR piece on your website and criminal prosecution is how you handle the situation the law applies identically to both there are no legal provisions for doing unsolicited penetration testing because you say you're a good guy, heck in the UK for example the exemption form that companies sign do not actually exempt the individual tester from being prosecuted by the crown it can only be used as a legal defense, in Germany the possession of "hacking tools" is illegal without a cause, and there are tons of other nuances for each and other country and jurisdiction in the world.

Telling people to just post stuff on seclists especially after already being in contact with the company is a terrible idea, so while I do appreciate you might have had different experience it doesn't mean you handled it correctly nor does it mean you are giving a sage advice.

My chaotic good character says release it! Or at least write a blog post about it, how it is exploitable etc. but either don't give the information about company or preferably say who it is, proof that this can be done but don't give any information how to do it. When it will get to general public the company should realise that they're pants are on fire.

My solution is not the politically correct way of doing it but I think that people who don't care about security should be punished

Blog it! Vendors uniformly crave +ve blog coverage, and fear -ve coverage. If you put together a blog post full of vendor and product names and tech detail on the vulnerabilities, designed for high PageRank, you'll soon have their attention. You'll probably tire very quickly of them begging you to remove or edit the post. The PR saying "no such thing as negative publicity" doesn't apply in our industry sector!
Do they know any personal information about you from your exchanges so far? If so, be careful because you might be liable if you disclose any vulnerabilities.
Thank you for the input. They do. I'm in the EU, are you aware of any issues that I may face if I choose to disclose it?
This sounds like the kind of thing the EU has laws for, where a company is legally mandated to fix vulnerabilities that may reveal personally identifiable information if made aware of these. Worth asking someone who's more of a lawyer than I am about that (since I am definitely not a lawyer).
Release it, in order to force a fix. If they won't do their due diligence and it's possible to exploit, nothing stops a malicious actor from taking advantage if they discover it. In the case of public disclosure, it forces them to acknowledge and fix the problem.
Go to the press. If the service is high profile enough, they'll be happy to post about it, and that will get a response. Works in my country.
Contact some organisation (e.g. EFF or Chaos Computer Club) which specialises in that stuff in order to save yourself from being sued by the vendor.
First, and this is very important, send them a new mail disclosing the vulnerabilities that says in clear words that if you do not get a response on this in a fixed number of days, you will go public with your disclosure. Send that mail to everyone concerned in the org.

If you do not get a response, then go ahead and make a blog post about it. Be sure to mention that you failed to get a response from the org in the post.

I would not put a blog post about it, since an injunction would be enough to get it taken down.

I would email a security list since email is not retractable once sent.

(comment deleted)
If the service is publicly available to people, I doubt it would matter. Vulnerabilities are disclosed daily for publicly available services. I remember someone publicly disclosing the vulnerabilities in the Indian government's Aadhar app, a public service, on twitter a few days back. I doubt they took down his tweets.

If the service is not publicly available or is some kind of internal, enterprise tool, then it would be a different matter.

If you don't want to go "public" first, you could contact their customers directly. Let them go after the vendor for a fix, and in the meantime they can develop their own mitigations. Even if the vendor still doesn't cooperate, you can delay going public until the high-profile users have protected themselves.
What do you mean by "iterative exfiltriation"?

Does this mean PII can be extracted by an attacker one user at a time?

Sell it to the U.S. government
You're in the EU and the vulnerability affects PII, so I'd recommend informing your country's Data Protection Authority of the risk.

If you make a public disclosure, you are at risk of being bullied by lawyers at the very least. Handing the issue over to the regulators might be more or less effective than making a public disclosure, but it should offer you some protection against liability and legal threats. As I understand it, most EU member states have some form of legislation to protect whistleblowers against defamation suits.

http://ec.europa.eu/justice/data-protection/article-29/struc...

This is the best answer - after contacting the business with your real name I wouldn't release any information about this to the public.
What makes you so sure fixes are trivial? Do you know what their code looks like? How big their team is? What resources they have available to devote to this? What their runway looks like? What pressures they're under from investors?

In a legacy codebase, even the smallest change can introduce all sorts of problems; and a small change to output or business logic can require disproportionately large changes to code. They may simply have determined that finishing the feature changes they think they need for their business to survive is more important than protecting against exploits that they consider either unlikely or low-value.

And how acceptable this is may depend in large part on what the service in question is and how broadly it's used. The lack of concern you describe would be totally unacceptable from a bank or even Twitter, but perhaps excusable (at this stage) from an early stage company trying to build the next Twitter.

Do not post it to any public resource you can go to jail for that.

Your course of action should be:

1) Understanding the legal framework in your country supporting the disclosure of vulnerabilities.

2) Contacting your country’s CERT team or EUCert if you are in the EU.

Beware: I'm not a Lawyer.

Well, if you're in the EU then GDPR [1] will be enforceable from 25 May 2018, so it is my noob understanding that the vendor you're dealing with will, sooner or later, be the subject of regular periodic data protection audits and will be forced to have a Data Protection Officer. Not sure if necessary, but you may contact ENISA [2] to be advised on how to proceed.

[1] https://en.m.wikipedia.org/wiki/General_Data_Protection_Regu...

[2] https://en.m.wikipedia.org/wiki/European_Union_Agency_for_Ne...

You have a few options but it's first and foremost important to understand laws related to "hacking" in your country.

Your first option is simply to let it go. It might not be worth your time, energy and risk to pursue this. Certainly if the vulnerabilities are not high risk. You already did the right thing by notifying them. It's the company choice to accept the risk of not fixing the vulnerabilities.

You can file the finding with your local CERT, they might be able/helpful to coordinate.

You can go full disclosure with it, if you accept the risk the company might sue you. Even if you're in the right, it might cost you a lot of time, money and anxiety before the court says you are. See option 1.

Notification to the authority responsible for enforcing GDPR or local privacy authority might be worthwhile, it depends.

Also, what kind of PII are we talking about?

Fuck em. Move on. #yolo
I’m curious why this post got flagged? It seems an appropriate question to me?